Thursday, June 04, 2009

Links and stuff

First off...for anyone who purchased a copy of Windows Forensic Analysis Second Edition at the TechnoSecurity conference...I'd greatly appreciate it if you'd post a review on Amazon! Thanks!

Richard Bejtlich has an interesting post regarding incident ratings. I find Richard to have well-thought out and -reasoned views, and this is yet another example of that. When writing CSIRPs, we include things such as incident severity ratings for classification and escalation purposes, so having something like this, while perhaps a little complex for many organizations, is very important.

JL's been nice enough to post on some CEIC stuff. Thanks for posting and making these materials available!

Over on OffensiveComputing, there's a link for OfficeMalScanner, which scans Office documents for malware, embedded PE files, and OLE streams. If VB code is found, it's reportedly extracted for analysis. This sounds pretty cool and a good thing to have in your toolkit, along with other means for malware detection.

The eEvidence site has been updated again! Christine has a way of finding some really cool papers and presentations...while they may not always be brand-spanking new, they are definitely topical and well worth reading and discussing.

Ed posted some good command-line kung fu for getting user and group information from a live system. For post-mortem analysis, I use RegRipper's samparse plugin for not only parses out the user information, but also the group membership information, as well. Another interesting bit of analysis you can use this for is to determine all local users on the system; dumping the contents of the ProfileList key (from the Software hive) or during a 'dir' on the Documents and Settings directory will give you the list of users with profiles on the system, but this will not distinguish between local and domain users.

According to SANS, the key ingredient to team development! Amen to that!

No comments: